#!

###########################
# Firewall Settings Certificate-Inspection (HTTPS only, no payload decryption) / SSL-SSH-Profile
###########################
# SSL/SSH profile "mydomain1-url-scan.local": certificate-inspection only.
# Only the HTTPS sub-profile is active ("status certificate-inspection"); FTPS,
# IMAPS, POP3S and SMTPS are all "status disable", so the untrusted-cert /
# allow-invalid-server-cert / client-cert-request values set for them below
# are inert until their status is enabled.
config firewall ssl-ssh-profile
edit mydomain1-url-scan.local
set comment "Encrypted URL Scan Only default profile mydomain1.ch"
config ssl
# Do not inspect SSL on every port; only the explicit per-protocol port lists below.
set inspect-all disable
end
config https
set ports 443
# Certificate inspection looks at the server certificate/SNI (used for URL
# categorisation) without decrypting the session; there is no visibility
# into the HTTP body in this mode.
set status certificate-inspection 
# Sessions in which the server requests a client certificate are passed
# through without inspection.
set client-cert-request bypass 
# NOTE(review): "bypass" lets TLS versions/ciphers the proxy cannot handle
# through uninspected; "block" is the stricter option — confirm intended policy.
set unsupported-ssl bypass 
# Servers presenting an invalid certificate are not allowed through.
set allow-invalid-server-cert disable 
# Certificates that do not chain to a trusted CA are blocked; these events
# are logged via ssl-invalid-server-cert-log further down.
set untrusted-cert block 
end
# FTPS: inspection disabled; the settings below are inactive.
config ftps
set ports 990
set status disable
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block 
end
# IMAPS: inspection disabled; the settings below are inactive.
config imaps
set ports 993
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block
end
# POP3S: inspection disabled; the settings below are inactive.
config pop3s
set ports 995
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block
end
# SMTPS: inspection disabled; the settings below are inactive.
config smtps
set ports 465
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block 
end
# Certificate the FortiGate presents when it must terminate TLS itself (e.g.
# to serve a block/replacement page). Fortinet_CA_SSLProxy is the factory
# default CA: clients that do not trust it will see a certificate warning.
# NOTE(review): consider an organisation-owned CA that clients already trust — TODO confirm.
set server-cert-mode re-sign 
set caname Fortinet_CA_SSLProxy 
# CA used to re-sign certificates from servers the FortiGate does NOT trust,
# so the client still sees an untrusted chain rather than a trusted one.
set untrusted-caname Fortinet_CA_Untrusted 
set certname Fortinet_SSLProxy 
# config ssl-server
# Log sessions whose server certificate failed validation.
set ssl-invalid-server-cert-log enable 
# No per-server (ssl-server) exception entries are in use.
set use-ssl-server disable 
next
end
###########################
# Firewall Settings No-Inspection (non-encrypted traffic only) / SSL-SSH-Profile
###########################
# SSL/SSH profile "mydomain1-default.local": no TLS inspection at all.
# Every protocol sub-profile is "status disable", so this profile performs
# no certificate or deep inspection; it exists so that policies needing a
# referenced SSL/SSH profile can use one that leaves encrypted traffic alone.
# All untrusted-cert / allow-invalid-server-cert / client-cert-request values
# below are therefore inert, as are the server-cert-mode/caname settings.
config firewall ssl-ssh-profile
edit mydomain1-default.local
set comment "None Encrypted default profile mydomain1.ch"
config ssl
# No port-independent SSL inspection.
set inspect-all disable
end
# HTTPS: inspection disabled (the only difference from the url-scan profile).
config https
set ports 443
set status disable
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block 
end
# FTPS: inspection disabled.
config ftps
set ports 990
set status disable
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block 
end
# IMAPS: inspection disabled.
config imaps
set ports 993
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block
end
# POP3S: inspection disabled.
config pop3s
set ports 995
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block
end
# SMTPS: inspection disabled.
config smtps
set ports 465
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert disable 
set untrusted-cert block 
end
# Kept identical to the url-scan profile for consistency; with every protocol
# disabled these certificates are not used by this profile.
set server-cert-mode re-sign 
set caname Fortinet_CA_SSLProxy 
set untrusted-caname Fortinet_CA_Untrusted 
set certname Fortinet_SSLProxy 
# config ssl-server
set ssl-invalid-server-cert-log enable 
set use-ssl-server disable 
next
end
###########################
# Firewall Settings Protocol Options
###########################
# Protocol options profile "mydomain1-default.local": which clear-text
# protocols/ports the proxy parses and how large/compressed payloads are
# treated. Sizes (oversize-limit, uncompressed-oversize-limit) are in MB.
config firewall profile-protocol-options
edit "mydomain1-default.local"
set comment "Unencrypted default profile mydomain1.ch"
unset replacemsg-group
# Log files that exceed the oversize limits and HTTP protocol-switch events.
set oversize-log enable
set switching-protocols-log enable
config http
set ports 80    
set status enable     
# Only port 80 is parsed as HTTP, not every port.
set inspect-all disable     
# "clientcomfort": trickle data to the client while a download is scanned so
# the browser does not time out. The "oversize" keyword is NOT set here, so
# files above oversize-limit are passed (and logged) rather than blocked —
# NOTE(review): confirm that is intended; add "oversize" to options to block them.
set options clientcomfort     
set comfort-interval 10    
set comfort-amount 1
set range-block disable 
unset post-lang
set fortinet-bar disable     
# Streaming media bypasses content scanning.
set streaming-content-bypass enable     
# NOTE(review): connections upgraded to another protocol (e.g. WebSocket) are
# passed uninspected; "block" is the stricter option — confirm intended policy.
set switching-protocols bypass     
# 10 MB scan ceiling and archive limits; bzip2 archives are not decompressed.
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable     
# NOTE(review): block pages are returned with HTTP 200 instead of an error
# status, which hides blocks from clients/scripts that check the status code
# (the FortiOS default is presumably 403) — confirm this is deliberate.
set block-page-status-code 200    
set retry-count 0
end
config ftp
set ports 21    
set status enable     
set inspect-all disable     
# Same comforting / size limits as HTTP; no "oversize" keyword, so large
# files pass with a log entry.
set options clientcomfort     
set comfort-interval 10    
set comfort-amount 1    
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
config imap
set ports 143    
set status enable     
set inspect-all disable     
# "fragmail": pass fragmented e-mail (which cannot be fully scanned).
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
# MAPI (Outlook/Exchange RPC) is not inspected.
config mapi
set ports 135    
set status disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable
end
config pop3
set ports 110    
set status enable     
set inspect-all disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable
end
config smtp
set ports 25    
set status enable     
set inspect-all disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable     
# Do not answer "server busy" to the sender while scanning.
set server-busy disable
end
# NNTP is not inspected.
config nntp
set ports 119    
set status disable     
set inspect-all disable
unset options     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
# DNS on port 53 is parsed (needed for DNS-based filtering features).
config dns
set ports 53    
set status enable 
end
# No outgoing-mail disclaimer is appended.
config mail-signature
set status disable 
unset signature
end
# Allow RPC-over-HTTP (Outlook Anywhere) through the HTTP proxy.
set rpc-over-http enable 
next
end
###########################
# Firewall DoS Policy (anomaly thresholds on wan1, block + quarantine)
###########################
# DoS policy 1: anomaly detection for all traffic arriving on wan1, any
# source, any destination, any service. Each enabled anomaly is logged,
# blocked, and the offending source is quarantined for 15 minutes.
# Threshold semantics follow FortiOS: flood/scan/sweep values are packets
# per second, *_session values are concurrent sessions — presumably; tune
# against a measured baseline before relying on them.
# NOTE(review): with srcaddr "all" plus "quarantine attacker", a legitimate
# but busy upstream (e.g. a NAT gateway or monitoring host) can be locked out
# for 15 minutes if it trips a threshold; consider excluding known sources.
config firewall DoS-policy
edit 1
set interface "wan1"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
# TCP SYN flood: half-open SYNs per second.
edit "tcp_syn_flood"
set status enable
set log enable
set action block 
# Quarantine the source IP that triggered the anomaly; expiry only applies
# while quarantine is "attacker".
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 2000
next
# TCP port scan: SYNs to distinct ports from one source.
edit  "tcp_port_scan"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 1000
next
# Concurrent TCP sessions from one source.
edit "tcp_src_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# Concurrent TCP sessions to one destination.
# NOTE(review): a *_dst_session anomaly is triggered by the aggregate load on
# one destination, so "quarantine attacker" presumably quarantines whichever
# source happened to push it over — that may be a legitimate client. Confirm.
edit "tcp_dst_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# UDP flood: UDP packets per second.
edit "udp_flood"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 2000
next
# UDP port scan.
edit "udp_scan"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 2000
next
# Concurrent UDP sessions from one source.
edit "udp_src_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# Concurrent UDP sessions to one destination (same quarantine caveat as
# tcp_dst_session above).
edit "udp_dst_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# ICMP flood: ICMP packets per second.
edit "icmp_flood"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 250
next
# ICMP sweep: echo requests to distinct hosts from one source.
edit "icmp_sweep"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 100
next
# Concurrent ICMP sessions from one source.
edit "icmp_src_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 300
next
# Concurrent ICMP sessions to one destination (same quarantine caveat as
# tcp_dst_session above).
edit "icmp_dst_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 1000
next
# Concurrent sessions of any IP protocol from one source.
edit "ip_src_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# Concurrent sessions of any IP protocol to one destination (same quarantine
# caveat as tcp_dst_session above).
edit "ip_dst_session"
set status enable
set log enable
set action block 
set quarantine attacker 
set quarantine-expiry 15m
set quarantine-log enable 
set threshold 5000
next
# SCTP anomalies: only the thresholds are set; status, log, action and
# quarantine are left at their defaults (presumably disabled), so unlike the
# entries above these are NOT enforced.
# NOTE(review): either enable them like the other anomalies or drop these
# entries so the policy's intent is unambiguous — TODO confirm.
edit "sctp_flood"
set threshold 2000
next
edit "sctp_scan"
set threshold 1000
next
edit "sctp_src_session"
set threshold 5000
next
edit "sctp_dst_session"
set threshold 5000
next
end
next
end
###########################
# Firewall Traffic Shaper
###########################
# Traffic shapers referenced by firewall policies. Bandwidth values are in
# kbps (FortiOS convention); guaranteed-bandwidth 0 means no reservation and
# maximum-bandwidth 1048576 (~1 Gbps) effectively means "no cap".
# "per-policy enable" gives every policy that references the shaper its own
# instance; "per-policy disable" shares one bucket across all policies.
# No DiffServ/DSCP marking is applied by any shaper.
config firewall shaper traffic-shaper
# Priority-only shapers (no reservation, no cap); per-policy instances.
edit "mydomain1-high-priority.intra"
set guaranteed-bandwidth 0
set maximum-bandwidth 1048576
set priority high
set per-policy enable
set diffserv disable
next
edit "mydomain1-medium-priority.intra"
set guaranteed-bandwidth 0
set maximum-bandwidth 1048576
set priority medium
set per-policy enable
set diffserv disable
next
edit "mydomain1-low-priority.intra"
set guaranteed-bandwidth 0
set maximum-bandwidth 1048576
set priority low
set per-policy enable
set diffserv disable
next
# High priority with a 100 kbps guarantee per policy, no cap.
edit "mydomain1-guarantee-100kbps.intra"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set priority high
set per-policy enable
set diffserv disable
next
# One 1 Mbps bucket shared by every policy that references it.
edit "mydomain1-shared-1M-pipe.intra"
set guaranteed-bandwidth 0
set maximum-bandwidth 1024
set priority high
set per-policy disable
set diffserv disable
next
# VoIP: shared shapers with a 128 kbps reservation; inbound is capped at
# 640 kbps, outbound at 3840 kbps (asymmetric link — assumed, verify).
edit "mydomain1-shaping-incoming-voip"
set guaranteed-bandwidth 128
set maximum-bandwidth 640
set priority high
set per-policy disable
set diffserv disable
next
edit "mydomain1-shaping-outgoing-voip"
set guaranteed-bandwidth 128
set maximum-bandwidth 3840
set priority high
set per-policy disable
set diffserv disable
next
end 
###########################
# Firewall SSL Setting
###########################
# Global settings for the SSL proxy used by the ssl-ssh-profiles above.
config firewall ssl setting
# Seconds the proxy waits for the server-side TLS connection to complete.
set proxy-connect-timeout 30
# Minimum Diffie-Hellman group size the proxy offers/accepts.
set ssl-dh-bits 2048
# Send empty TLS fragments as a countermeasure against CBC plaintext-recovery
# attacks on TLS 1.0 (BEAST-style); may break some legacy clients.
set ssl-send-empty-frags enable
# NOTE(review): when the proxy shares no cipher with the client/server, the
# session is passed through uninspected rather than dropped; "drop" is the
# stricter option — confirm this fits the inspection policy.
set no-matching-cipher-action bypass
# Cache of re-signed server certificates: up to 200 entries, 10 minutes each.
set cert-cache-capacity 200
set cert-cache-timeout 10
# TLS session cache for resumption: up to 500 entries, 20 minutes each.
set session-cache-capacity 500
set session-cache-timeout 20
end